Typical access-control mechanisms do not distinguish between input provided by people and input provided by software. As a result, rogue software running on a system can mimic the behavior of a human user and gain unauthorized access to protected resources. For example, a keystroke logger can capture a user's account name and password and later replay them as part of an access-verification sequence. Similarly, typical access-control mechanisms are susceptible to brute force attacks such as a dictionary attack or a “man in the middle” attack. Brute force attacks can be particularly detrimental to password protected storage of encrypted data.